SOC 2 reports offer CPAs new opportunities to address clients' needs.

Several prominent internal control breakdowns and increased focus on internal control by regulators, boards of directors and others charged with governance have led to increased demand for attestation reports, issued by an independent CPA, on controls over subject matter other than financial reporting. Neither Statement on Auditing Standards (SAS) no. 70, Service Organizations, nor the new standard that replaced SAS no. 70, Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization, is intended to address controls relevant to these risks.

In response to this demand, the AICPA has developed the Service Organization Control (SOC) reporting framework. The framework is designed to help service organizations, their customers and CPAs understand the types of examination reports a CPA can issue related to service organization controls. The AICPA also has published new guidance for attestation reports to help meet this growing demand for internal control reporting.

The SOC (commonly pronounced “sock”) framework includes three reporting options. This article focuses on SOC 2 reports and engagements and provides some additional information on SOC 3 engagements.

SOC 1 engagements are performed in accordance with SSAE no. 16 and focus solely on controls at a service organization that are likely to be relevant to an audit of a customer’s financial statements.

SOC 2 engagements are performed in accordance with AT section 101, Attest Engagements, using the guidance provided in the Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) (the SOC 2 Guide).

A SOC 2 engagement is designed to provide:

Organizations that outsource tasks and functions a mechanism for improving governance and oversight of service providers.

Service organizations the ability to communicate the suitability of the design and operating effectiveness of their controls through a widely accepted reporting format.

CPAs an opportunity to expand their attestation services through a new report that meets a marketplace need.

SOC 2 reports provide users with:

(1) A detailed description of a service organization’s system, including controls designed to achieve the criteria for one or more of the Trust Services principles. A Trust Services report for service organizations is performed under AT section 101 using TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Trust Services is defined as:

A set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs around controls at the service organization that are relevant to one or more of the Trust Services principles of security, availability, processing integrity, confidentiality or privacy. Trust Services principles and criteria are issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).

(2) An assertion by management regarding the fairness of the description, the suitability of the design of the controls and, for some engagements, the operating effectiveness of the controls; and

(3) A CPA’s opinion on the fairness of the description, the suitability of the design of the controls and, for some engagements, the operating effectiveness of the controls, together with a description of the tests performed by the CPA and the results of those tests. The fairness of the description of a service organization’s system is measured using the system description criteria set forth in the SOC 2 Guide, while the suitability of design and operating effectiveness of controls related to security, availability, processing integrity, confidentiality or privacy are assessed using the criteria in TSP section 100.

SOC 3 reports provide users with (1) an assertion by management that it maintained effective controls to meet the Trust Services criteria, (2) a short description of the service organization’s system, and (3) a CPA’s examination report on either management’s assertion or on the effectiveness of controls that meet the Trust Services criteria. The fairness of management’s assertion is assessed using the criteria in TSP section 100.

It is important to note that a system is more than just computer hardware and software. It is the set of policies and procedures a service organization uses to provide services to its customers. A system includes the physical environment and hardware components, application and operating system software, people, procedures and data. As it relates to privacy, a system includes all aspects of the life cycle of personal information, including how it is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA (see “GAPP Targets Privacy Risks,” in this issue, page 52).

OUTSOURCING AND ITS EFFECTS

Many companies function more efficiently and profitably by outsourcing tasks or entire functions to other organizations (service organizations) that have the personnel, expertise, equipment or technology to accomplish these tasks. As part of these services, a service organization will often collect, process, transmit, store, organize, maintain and dispose of information for its customers. Examples of service organizations include cloud computing providers, payroll processors, information security service providers and information service providers.

Although a company outsources tasks to a service organization, company management retains its responsibility for the outsourced tasks and the manner in which they are performed and is held accountable by the company’s stakeholders, including its board of directors, shareholders, customers, employees, business partners and regulators. Many of these responsibilities can be grouped using the Trust Services principles, which address the security, availability and processing integrity of the system used to provide the outsourced tasks, and the confidentiality and privacy of information used by the system. As part of its corporate governance, management of an organization needs to address these responsibilities by:

Developing procedures to identify risks resulting from its outsourcing relationships.

Assessing those risks.

Identifying controls at the service organizations that address the risks.

Evaluating the suitability of the design and operating effectiveness of the service organization’s controls.

Implementing and maintaining controls to address risks not addressed by controls at the service organization.

OBTAINING INFORMATION ABOUT A SERVICE ORGANIZATION’S SYSTEM AND ITS CONTROLS

In some cases, an organization’s management can evaluate the quality of operations of a service organization and the suitability of the design and operating effectiveness of the service organization’s controls by establishing monitoring procedures that enable it to prevent—or detect—and correct processing errors and control exceptions by a service organization. To illustrate, as it relates to processing integrity, the company initiates and records the information it submits to the service organization for processing and is able to compare the results of processing with its own records. For example, an organization evaluates sales literature fulfillment services performed by a service organization by comparing the fulfillment statistics provided by the service organization with the printing and mailing costs of the literature.

In other cases, the company must rely either completely or partially on the effective operation of the service organization’s controls. For example, to meet its regulatory obligations and privacy commitments to its patients, a health care provider that outsources the analysis of patient service outcomes must rely on the privacy controls at the service organization. In such a circumstance, the health care provider has a limited ability to monitor the effectiveness of the service organization’s privacy controls.

A company may be able to get information about controls at a service organization directly from the service organization. Often this information comes from the service organization in the form of “Frequently Asked Questions” or as part of the system description. A service organization may also have a list of controls that it has implemented. However, this information may have limitations, such as:

There are no defined criteria for what constitutes an adequate description of a system and its controls.

In describing their systems, service organizations do not use a consistent set of criteria for measuring whether their controls are suitably designed and operating effectively.

Except for controls likely to be relevant to user entities’ financial statement assertions, service organizations have not had a consistent and well-recognized method of providing an independent CPA’s attestation report on their system description or the suitability of design and operating effectiveness of their controls.

SOC 2 engagements are designed to meet the needs of user entities and other stakeholders by providing service organizations with criteria for describing their systems, criteria for evaluating the suitability of design and operating effectiveness of the service organization’s controls, and an independent CPA’s opinion on the description of the system and the design and operating effectiveness of the service organization’s controls.

SIMILARITY TO SOC 1 REPORTS

A service organization may engage a CPA to report on controls at the service organization that cover one or more of the Trust Services principles of security, availability, processing integrity, confidentiality and privacy. Service organizations undergo such an engagement to provide copies of the SOC 2 report to their customers and other intended recipients of the report, such as regulators and business partners. The report enables users to obtain evidence about the effectiveness of internal control at the service organization as it relates to one or more of the Trust Services principles.

The written description of the service organization’s system includes, among other things, the nature of the service provided to user entities, procedures used to provide the service, and the service organization’s controls that address the applicable Trust Services criteria. While the written description is similar in form to the written description prepared for a SOC 1 report, a SOC 2 report uses the applicable Trust Services criteria in place of the familiar control objectives of a SOC 1 report or a SAS no. 70 report.

Similar to a SOC 1 report, there are two types of SOC 2 reports:

1. Type 1 report. The service auditor (the CPA performing the engagement) expresses an opinion on whether the description is fairly presented (that is, whether it describes what actually exists) and whether the controls included in the description are suitably designed. Controls that are suitably designed are able to meet the applicable Trust Services criteria if they operate effectively.

2. Type 2 report. The service auditor’s report contains the same opinions as those in a type 1 report but also includes an opinion on whether the controls were operating effectively. Controls that operate effectively do meet the applicable Trust Services criteria as intended. A type 2 report also includes a description of the service auditor’s tests of operating effectiveness and the results of those tests so that users can determine how the results of the service auditor’s tests affect a particular company and meet its needs.

In addition to preparing a written description of the service organization’s system, management of the service organization has certain other responsibilities in a SOC 2 engagement, including:

Defining the scope of the engagement. Management determines which service(s) and Trust Services principle(s) will be covered by the SOC 2 report. In determining the scope of the system, management of the service organization should consider the needs of report users, including their regulatory obligations, governance requirements and industry practices.

Determining whether to engage the service auditor to perform a SOC 2 type 1 or type 2 engagement, depending on the needs of users.

For type 2 reports, determining the time period covered by the report. Unlike SOC 1 reports, there is no generally accepted minimum useful period that a report needs to cover. However, the period covered should be sufficiently long for the service auditor to be able to opine on the operating effectiveness of the controls and to meet the needs of report users. Service organizations may wish to discuss the time period with their service auditor.

Providing a written assertion to be attached to the description of the system. This written assertion by management confirms, to the best of management’s knowledge and belief, that the description is fairly stated, controls were suitably designed to meet the applicable Trust Services criteria, and, for type 2 reports, the controls were operating effectively throughout the period. For type 2 reports addressing the privacy principle, management’s assertion also confirms that management has complied with its privacy commitments. The assertion also confirms that management has a basis for making its assertion, including the suitability of the design and operating effectiveness of the service organization’s controls.

Providing written representations to the service auditor regarding its written assertion and other matters, such as compliance with laws and regulations and the completeness of the information provided to the service auditor.

PERFORMING SOC 2 ENGAGEMENTS

SOC 2 reports provide CPAs with an opportunity to meet the needs of service organizations and their stakeholders that have long gone unmet. Service organization customers have often asked for a SAS no. 70 report addressing controls that are not relevant to user entities’ internal control over financial reporting. With the issuance of the SOC 2 Guide, service auditors have a report specifically intended to meet those needs.

Planning, performing and reporting for SOC 2 and SOC 1 engagements are similar. Service auditors experienced in performing SAS no. 70 examinations and now SOC 1 engagements should be well-prepared to perform SOC 2 engagements. However, there are some unique factors a service auditor should consider before accepting a SOC 2 engagement:

Ensure that they have adequate knowledge of the subject matter, since SOC 2 reports address the operations and compliance aspects of internal control rather than controls likely to be relevant to a user’s internal control over financial reporting. Such knowledge should include an understanding of both the services provided and the Trust Services principles addressed by the report. A service auditor may meet the knowledge requirement through the use of one or more specialists, as indicated in AT section 101.

Consider whether the period of the report is sufficient to meet the needs of users and sufficient for the service auditor to form an opinion on the operating effectiveness of the controls that meet the applicable Trust Services criteria.

Consider whether a SOC 2 report on the selected principles is likely to meet the needs of users and whether the report is likely to be misunderstood by those users.

The service auditor should also discuss with the service organization’s management that knowledge of the subject matter and internal control is required of report users to reduce the risk of report misunderstanding. Because of this risk, the service auditor should reach agreement with service organization management that use of the service auditor’s report will be restricted and that the intended users of the report should be identified.

SOC 3 REPORTS

Service organizations may need a general-use report (or seal) instead of or in addition to a SOC 2 report. In addition, a service organization may not wish to provide details of controls in its system description or a description that meets the criteria set forth in the SOC 2 Guide. In these situations, the service organization may choose to engage a practitioner (a CPA performing an attestation engagement) to issue a SOC 3 report. A SOC 3 report is prepared under AT section 101 using TSP section 100. A practitioner may report on one or more of the five Trust Services principles.

In the examination report included in TSP section 100, the practitioner expresses an opinion on whether the service organization maintained effective controls over its system, based on the criteria in TSP section 100 that are applicable to the Trust Services principle(s) on which the practitioner is reporting. Because SOC 3 reports are for general use, they can be freely distributed or posted on a website as a seal (for more information about the seal program, go to www.webtrust.org).

Although a SOC 3 report is designed to meet the needs of a broad range of users, in many cases it will not provide a user with sufficient detail about the design and operation of controls to meet his or her needs.

More information about the right report to use in certain circumstances is outlined in Exhibit 1.

EXECUTIVE SUMMARY

CPAs have an opportunity to expand their attestation services through a new SOC report.

SOC 2 engagements are designed to meet the needs of service organization users and other stakeholders. They provide organizations that outsource tasks and functions a mechanism for improving governance and oversight of service providers. They also enable service organizations to communicate the suitability of the design and operating effectiveness of their controls through a widely accepted reporting format.

There are two types of SOC 2 reports. Type 1 reports provide a description of a service organization’s system and a CPA’s opinion on the fairness of the description and the design of the service organization’s controls. Type 2 reports also add the CPA’s opinion on the operating effectiveness of controls.

CPAs in public practice who are familiar with reports performed using SAS no. 70 and SSAE no. 16 are well-positioned to accept SOC 2 engagements to meet their clients’ needs. However, there are some unique factors a service auditor must consider first, such as whether the period of the report is sufficient to meet the needs of users and sufficient for the service auditor to form an opinion on the operating effectiveness of the controls that meet the applicable Trust Services criteria, among others.

Chris Halterman (chris.halterman@ey.com) is executive director of Advisory Services for Ernst & Young LLP and is chairman of the AICPA Trust Services/Data Integrity Task Force.

To comment on this article or to suggest an idea for another article, contact Kim Nilsen, editorial director, at knilsen@aicpa.org or 919-402-4048.
